Changli Gao wrote: > It is not easy to spoof in both directions. Routers won't forward it if the destination is at the same side. Please don't top post. They don't need to forward anything, conntrack handles the packet before routing. > Patrick McHardy <kaber@xxxxxxxxx>写道: > >> Changli Gao wrote: >>> On Fri, Nov 27, 2009 at 5:42 PM, Jozsef Kadlecsik >>> <kadlec@xxxxxxxxxxxxxxxxx> wrote: >>>> On Fri, 27 Nov 2009, Changli Gao wrote: >>>> >>>>> Yes, as nf_conntrack_tcp_timeout_loose_unreply implied, it is for >>>>> picked up connections. >>>> Connection pickup can be disabled by proper rules or by setting >>>> nf_ct_tcp_loose to zero. So in which environment this third method is >>>> required? I'm curious what triggered you to write your patch. >>>> >>> In some condition, you can't disable it. It's why we export >>> nf_ct_tcp_loose. As a bridge, if its booting breaks connections, users >>> won't happy, so we must allow loose mode. >> That won't help much. If you're able to spoof packets, you might >> as well spoof packets for both direction so SEEN_REPLY is set. -- To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html